[squid-users] Mikrotik and Squid Transparent

Alex Samad alex at samad.com.au
Fri Jun 26 12:14:52 UTC 2015


Aren't squid and the NAT box different? That was my presumption.

On 25 June 2015 at 19:07, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 25/06/2015 12:45 p.m., Alex Samad wrote:
>> Hi
>>
>> Why this? Doesn't this block all traffic getting to the squid port?
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
> All external traffic yes. The NAT interception happens afterward and works.
>
> The point is that NAT intercept MUST only be done directly on the Squid
> machine. A single external connection being accepted will result in a
> forwarding loop DoS and the above protects against that.
>
>>
>>
>> what I would do to test is run tcpdump on the squid box and capture
>> all traffic coming to it on the squid listening port,
>
> IIRC, you can't do that because tcpdump operates before NAT. It will not
> show you the NAT'ed traffic arriving.
>
> Running Squid with -X or "debug_options ALL,9" would be better. You can
> see in cache.log what Squid is receiving and what the NAT de-mangling is
> actually doing.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
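The rule ordering Amos describes, written out as an added example (not from the thread or the Squid project): the mangle PREROUTING DROP guard ahead of the local REDIRECT, plus a check that refuses to apply a rule set in which the guard is missing. SQUIDPORT, LAN_IF and LAN_NET are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules in the order
# Amos describes and check that the loop guard is present. SQUIDPORT, LAN_IF
# and LAN_NET are assumed placeholder values; adjust them for your network.
SQUIDPORT="${SQUIDPORT:-3129}"          # assumed intercept port
LAN_IF="${LAN_IF:-eth1}"                # assumed interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed client network

# Print the rules instead of applying them, so they can be reviewed first.
squid_intercept_rules() {
    # mangle PREROUTING is traversed before nat PREROUTING, so this drops any
    # packet that arrives from the network already addressed to the intercept
    # port. Only traffic REDIRECTed locally (below) can reach Squid, which is
    # what stops a single external connection from causing a forwarding loop.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP"
    # Interception itself: done on the Squid host, for the LAN clients only.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUIDPORT"
}

# Read a rule list on stdin; succeed only if every port that a REDIRECT sends
# traffic to is also covered by a mangle PREROUTING DROP.
has_loop_guard() {
    awk '
      /-t mangle/ && /PREROUTING/ && /-j DROP/ {
          for (i = 1; i <= NF; i++) if ($i == "--dport") guarded[$(i+1)] = 1
      }
      /-j REDIRECT/ {
          for (i = 1; i <= NF; i++) if ($i == "--to-ports") { need[$(i+1)] = 1; n++ }
      }
      END {
          if (n == 0) exit 1
          for (p in need) if (!(p in guarded)) exit 1
          exit 0
      }'
}

if [ "${1:-}" = "--apply" ]; then
    squid_intercept_rules | has_loop_guard || { echo "refusing: no loop guard" >&2; exit 1; }
    squid_intercept_rules | sh
else
    squid_intercept_rules
fi
```

Run without arguments to review the generated rules; `--apply` only runs them after the guard check passes.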

